FTP connection tracking module

Harald Welte laforge@gnumonks.org
Tue, 23 Oct 2001 14:20:13 +0200 

On Tue, Oct 23, 2001 at 01:57:58AM +0200, Ceache wrote:
> Hi,
> I'm using netfilter on my personnal lan at home and I'm greatly satisfied 
> with it.
> But, I miss a feature and I was thinking about implementing it. But first, 
> since I am an *ok* (I think ;p) programmer in C but I have never touched 
> anything like the linux kernel/modules nor firewalling solutions, I would 
> like some advice.
> 
> My idea is that, right now FTP conntrack is only listenning on port 21 (a 
> simple test against htons(21)).
> I would like to change that so that netfilter at best detects FTP trafics 
> automaticly or at least that there are some /proc trics to had some ports.

What do you think ist the following part of ip_conntrack_ftp.c for? ;)

#define MAX_PORTS 8
static int ports[MAX_PORTS];
static int ports_c;
#ifdef MODULE_PARM
MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
#endif

You have module load time parameters for specifying alternate ftp ports.

There have been long-time plans to make them runtime-changeable via sysctl(),
but it never got implemented.  If you want to do this, feel free to do so.

> I would ten times prefer the first behavior. I look into it and one of the 
> idea I thought of was to use dsniff type of mecanisism to guess the 
> protocol. Then creating a prerouting target that would mark packets 
> depending on protocols. (in my opinion, this sound like something really 
> neat for routing/filtering/QoS etc... than just rules based on port matching).
> But now I'm facing some problems :

It's way too expensive.  Up to which bandwidth do you think you can do
a couple of protocol detections on each packet?

I don't think that this is possible in any realistic scenario, sorry.

> I would really greatly appriciate anytime of comment about it (you can tell 
> me if you think I'm crazy ;P)
> 
> P.S. I'm french and, well, I'm sorry if my english sounds weird or if I 
> can't speel properly.

;) no problem. Most of the people here are no native english speakers.  I'm
german, for example.

> Charles-Henri de Boysson

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)